Technology Transfer from Security Research Projects
A Personal Perspective
- N. Asokan
Aalto University & University of Helsinki http://asokan.org/asokan/research
Figure: fair exchange between Alice (holding A-item, expecting A-exp) and Bob (holding B-item, expecting B-exp); each wants the other's item.
Approaches: Gradual exchange protocols; Trusted Third Party protocols
– design protocol that is efficient for the common case
– but allows recovery in case of exceptions
– Effectiveness
– Fairness
– Timeliness
– (Non-invasive)
Figure: optimistic fair exchange (SEMPER, http://www.semper.org/). Alice and Bob each generate a permit (A-permit, B-permit), exchange the permits, then exchange A-item and B-item; if the exchange stalls, a party can ask the TTP to Resolve.
Resolve (Alice): Alice sends A-item and B-permit (which carries B-item and B-exp) to the TTP; if A-item matches B-exp, the TTP extracts B-item from B-permit for Alice.
Figure: the same protocol with Abort and Resolve paths to the TTP for both Alice and Bob (http://www.semper.org/).
Abort: if not already resolved, the TTP issues an abort token.
Resolve (Alice): if not aborted, and if A-item matches B-exp, the TTP extracts B-item from B-permit for Alice. Resolve for Bob is similar.
Figure: verifiable encryption of a secret: verifyEnc(desc, E) returns True/False; recover(E) (with the TTP) returns the secret.
Verifiable encryption with cut-and-choose (verifyEnc / recover)
Setting: secret s in G1, description d = g^s (in G2).
verifyEnc (Prover ↔ Verifier):
– Prover: s0 ←R G1, v ← g^s0, s1 ← s0 − s, Ei ← Enc(ri, si) for i in {0,1}; sends v, E0, E1
– Verifier: b ←R {0,1}; sends b
– Prover: sends rb, sb
– Verifier checks: d^b · g^sb = v? and Enc(rb, sb) = Eb?
– Repeat n times (cut-and-choose)
recover (Verifier ↔ TTP):
– Verifier sends the unopened Eb̄ to the TTP; TTP computes sb̄ ← Dec(Eb̄) and returns sb̄
– Verifier combines sb and sb̄: since s1 = s0 − s, s ← s0 − s1
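As an added illustration (not code from the slides or from [ASW00]), a runnable Python model of the verifyEnc/recover protocol above. It assumes constructed toy group parameters (p = 23, q = 11, g = 4) and a toy hashed-ElGamal encryption to the TTP's key standing in for Enc/Dec; recovery uses s = s0 − s1, consistent with s1 = s0 − s.

```python
import hashlib
import secrets
# Constructed toy parameters: p = 2q + 1, g generates the order-q subgroup (exponents in Z_q = G1).
P, Q, G = 23, 11, 4

def _mask(x: int) -> int:
    """Toy hashed-ElGamal key derivation; 4 bits cover every m < Q."""
    return hashlib.sha256(str(x).encode()).digest()[0] & 0xF

def ttp_keygen():
    """TTP key pair (y, Y = g^y): the prover encrypts to Y, only the TTP can decrypt."""
    y = secrets.randbelow(Q - 1) + 1
    return y, pow(G, y, P)

def enc(Y: int, r: int, m: int):
    """Enc(r, m): deterministic for a given r, so the verifier can recompute Enc(r_b, s_b)."""
    return pow(G, r, P), m ^ _mask(pow(Y, r, P))

def dec(y: int, ct) -> int:
    return ct[1] ^ _mask(pow(ct[0], y, P))

def prove_round(Y: int, s: int):
    """Prover: s0 random, v = g^s0, s1 = s0 - s, E_i = Enc(r_i, s_i); returns (v, E0, E1) and openings."""
    s0 = secrets.randbelow(Q)
    s1 = (s0 - s) % Q
    r0, r1 = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return (pow(G, s0, P), enc(Y, r0, s0), enc(Y, r1, s1)), ((r0, s0), (r1, s1))

def verify_round(Y: int, d: int, msg, b: int, opening) -> bool:
    """Verifier's check for challenge b: d^b * g^s_b == v and Enc(r_b, s_b) == E_b."""
    v, E0, E1 = msg
    r_b, s_b = opening
    return (pow(d, b, P) * pow(G, s_b, P)) % P == v and enc(Y, r_b, s_b) == (E0, E1)[b]

def recover(y: int, b: int, s_b: int, e_unopened) -> int:
    """Recovery: the TTP decrypts the unopened half; since s1 = s0 - s, the verifier gets s = s0 - s1."""
    s_other = dec(y, e_unopened)
    s0, s1 = (s_b, s_other) if b == 0 else (s_other, s_b)
    return (s0 - s1) % Q

def run_protocol(s: int, n: int = 8):
    """n rounds of cut-and-choose; returns the secret recovered via the TTP, or None if a round fails."""
    y, Y = ttp_keygen()
    d = pow(G, s, P)                      # public description of the secret
    kept = None
    for _ in range(n):
        msg, openings = prove_round(Y, s)
        b = secrets.randbelow(2)          # verifier's random challenge bit
        if not verify_round(Y, d, msg, b, openings[b]):
            return None
        kept = (b, openings[b][1], msg[2 - b])   # keep the half that was NOT opened
    return recover(y, *kept)
```

A prover whose ciphertexts do not encrypt shares of the advertised d is caught in each round with probability 1/2, which is why the exchange is repeated n times.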
A-permit = verifiable encryption of A-item + A-exp, where A-exp = description of B-item
[ASW00] “Optimistic Fair Exchange of Digital Signatures”, JSAC 18(4): 593-610 (2000)
– Wants to monetize every transaction!
Variant with pre-paid coupons bought from the TTP, to be used for every optimistic transaction
Setting: secret s in G1, description d = g^s (in G2).
verifyEnc (Prover ↔ Verifier):
– Coupon (prepared with the TTP): s0 ←R G1, v ← g^s0, E0 ← Enc(r0, s0), Cert ← SigTTP(v, E0)
– Prover: s1 ← s0 − s; sends v, E0, Cert, s1
– Verifier checks: d · g^s1 = v? and verify(Cert)
– Repeat n times (cut-and-choose)
recover (Verifier ↔ TTP):
– Verifier sends E0 to the TTP; TTP computes s0 ← Dec(E0) and returns s0
– Verifier combines s0 and s1: since s1 = s0 − s, s ← s0 − s1
– Wants to monetize every transaction!
– Reputation systems
– In-line TTP (e.g., E-bay escrow service)
http://logging.apache.org/log4j/2.x/
– “the more (independent) parties you require for your scheme, the less likely it will be deployed”
– MANETs anyone?
– “Good enough beats perfect”
– “Global PKIs will not happen”
– e.g., Coke vending machine accepting payments via SMS, 1997
Figure: using the global cellular infrastructure for authentication/authorization. The Home Security Server and the Serving Network share K and derive IK, CK via Authentication & Key Agreement (AKA); a CA/RA issues the device a certificate CertD for its key pair PKD/SKD, which the device can then use toward a service provider (SP).
Figure: Generic Bootstrapping Architecture (GBA). Network side: Bootstrapping Server, Application Server, HSS. User Equipment (UE): Bootstrapping client, Application client. Protocols: Bootstrapping Protocol, Application Protocol, Credential Fetching Protocol, Key distribution Protocol.
[HLGNA08] “Cellular Authentication for Mobile and Internet Services”, Wiley, 2008. Relevant 3GPP documents: e.g., [33.919], [33.220]
– Variants: GBA and GBA_U (implemented in the smartcard, UICC)
– GBA implemented for some services, none of which has taken off (e.g., Mobile TV), so far
– Bootstrapping: Facebook, Google, …
– Roaming: iPass, Shibboleth, …
– E.g., EAP SIM
– Server auth. using TLS + user auth. with password
– Authentication for VPN access using legacy credentials
– Bootstrapping a “local PKI”
AKA provides mutual authentication.
Figure: Authentication & Key Agreement (AKA). The Home Security Server holds K and the latest sequence number SQNH; the UE holds K and its latest SQNU; the Serving Network relays.
– UE → Serving Network → Home Security Server: IMSI
– Home Security Server: from RAND, K and SQNH computes XRES, AUTN, IK, CK; sends RAND, AUTN, XRES, IK, CK to the Serving Network
– Serving Network → UE: RAND, AUTN
– UE: from RAND, K and AUTN computes RES, SQN, IK, CK; STOP if SQN is not fresh with respect to SQNU
– UE → Serving Network: RES; Serving Network: STOP if RES ≠ XRES
Figure: the AKA run above (UE, Serving Network, Home Security Server), followed by a Cert Request / Cert Response exchange between the UE and an RA over a (mutually) authenticated TLS channel.
Figure: the same flow with a man-in-the-middle (MitM) between the UE and the Serving Network, relaying IMSI, RAND, AUTN and RES while the Cert Request / Cert Response runs over the (mutually) authenticated TLS channel to the RA.
[ANN03] “Man-in-the-middle in Tunnelled Authentication Protocols”, Security Protocols, 2003
Channel binding: Use of cryptographic binding to compose two authenticated channels
– “But you are using the worst rackets in industry as a justification for what you’re doing. There are all sorts of people just generating garbage protocols, a couple of which you have already mentioned here. We’re trying to reverse their work, whereas you’re trying to advocate we use all these garbage protocols.”
– For an entertaining read, see transcript of discussion during my talk at SPW ’03!
– Closing down of ipsra working group; channel binding in IKEv2
– Continued attention: e.g., RFC 6813
Car kits
– Allow hands-free phone usage in cars
– Retrieve/use session keys from phone SIM
– Require a higher level of security: passcodes
More secure = Harder to use?
Figure: key establishment taxonomy. Key transport via an OOB channel vs. key agreement; asymmetric crypto (unauthenticated or authenticated; secure against passive attackers) vs. symmetric crypto only (unauthenticated or authenticated; short keys vulnerable to passive attackers).
Short-string comparison: A → B: PKA; B → A: PKB.
A computes vA ← H(A, B, PKA|PK’B); B computes vB ← H(A, B, PK’A|PKB).
vA and vB are short strings (e.g., 4 digits); the user approves acceptance if vA and vB match.
A man-in-the-middle can easily defeat this protocol.
Figure: man-in-the-middle C. A → C: PKA; C → B: PKC1 (in place of PKA); B → C: PKB; C → A: PKC2 (in place of PKB).
B computes v’B ← H(A, B, PKC1|PKB); A computes v’A ← H(A, B, PKA|PKC2).
C picks PKC2 by trial-and-error so that H(A, B, PKA|PKC2) = v’B: guess a key pair SKC2/PKC2 until the hash matches. If v’B is n digits, the attacker needs at most 10^n guesses, each costing one hash calculation; a typical modern PC can calculate 100000 MACs in 1 second.
MANA IV [LAN05] (IACR report); [LN06] CANS ‘06
– Key agreement: exchange PKA, PKB
– A: choose long random RA; calculate commitment hA ← h(A, RA); send hA
– B: choose long random RB; send RB
– A: open the commitment: send RA
– B: verify commitment h’A ≟ h(A, R’A); abort on mismatch
– A: vA ← H(A, B, PKA|PK’B, RA, R’B); B: vB ← H(A, B, PK’A|PKB, R’A, RB)
User approves acceptance if vA and vB match: 2^-l (“unconditional”) security against man-in-the-middle (l is the length of vA and vB). h() is a hiding commitment; in practice SHA-256.
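As an added illustration (not code from the slides or from the MANA IV papers), a runnable Python model of the commitment-based exchange above. It assumes SHA-256 for both h() and H(), short strings truncated to 4 decimal digits, public keys and identities as opaque byte strings, and optional arguments that model what the peer actually received (the slides' PK’A, PK’B and R’A).

```python
import hashlib
import secrets

L_DIGITS = 4   # l: length of the short strings vA, vB (slides: e.g., 4 digits)

def h(ident: bytes, r: bytes) -> bytes:
    """Hiding commitment h(A, RA); SHA-256, as the slides suggest for practice."""
    return hashlib.sha256(b"commit|" + ident + b"|" + r).digest()

def H(a: bytes, b: bytes, pka: bytes, pkb: bytes, ra: bytes, rb: bytes) -> str:
    """Short-string function H(A, B, PKA|PKB, RA, RB), truncated to L_DIGITS decimal digits."""
    digest = hashlib.sha256(b"|".join([a, b, pka, pkb, ra, rb])).digest()
    return str(int.from_bytes(digest, "big") % 10 ** L_DIGITS).zfill(L_DIGITS)

def mana_iv(a: bytes, b: bytes, pka: bytes, pkb: bytes,
            pka_at_b: bytes = None, pkb_at_a: bytes = None, ra_at_b: bytes = None):
    """One MANA IV run after the unauthenticated key agreement has exchanged PKA and PKB.
    The *_at_* arguments model what the peer actually received (None = delivered intact),
    i.e. the values PK'A, PK'B and R'A in the slides. Returns (vA, vB, aborted)."""
    pka_at_b = pka if pka_at_b is None else pka_at_b
    pkb_at_a = pkb if pkb_at_a is None else pkb_at_a
    # A: choose a long random RA and send only the commitment hA = h(A, RA)
    ra = secrets.token_bytes(32)
    ha = h(a, ra)
    # B: choose a long random RB and reveal it only after hA has arrived
    rb = secrets.token_bytes(32)
    # A: open the commitment by sending RA; B checks it against hA and aborts on mismatch
    ra_at_b = ra if ra_at_b is None else ra_at_b
    if ha != h(a, ra_at_b):
        return None, None, True
    va = H(a, b, pka, pkb_at_a, ra, rb)       # A's short string
    vb = H(a, b, pka_at_b, pkb, ra_at_b, rb)  # B's short string; the user compares vA and vB
    return va, vb, False
```

Because PK’A and PK’B are fixed before RA is opened and RB is revealed, substituted keys make vA and vB disagree except with probability about 10^-l per run, and a tampered R’A is caught by the commitment check before any string is shown to the user.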
Figure: key establishment methods in standards. Methods: unauthenticated Diffie-Hellman; authenticated Diffie-Hellman with short-string comparison, short PIN, or an out-of-band channel. Standards: WiFi Protected Setup (“Push-button”, NFC), Bluetooth 2.1 (“Just-works”, NFC), Wireless USB (USB cable).
[AN10] “Security associations for wireless devices” (overview, book chapter)
[SVA09] “Standards for security associations in personal networks: a comparative analysis”, IJSN 4(1/2):87-100 (survey of standards)
[UKA07] “Usability Analysis of Secure Pairing Methods”, USEC ‘07
HW credentials vs. SW-only credentials:
– More secure, sometimes more intuitive
– More expensive, usually no trusted path to user
– Single-purpose or issuer-controlled
– Introduced for manufacturer and operator needs
– Not accessible for app developers
[EKA14] “The Untapped Potential of Trusted Execution Environments on Mobile Devices”, IEEE S&P Magazine, Jul-Aug 2014
Secure yet inexpensive
Figure: centralized provisioning (smart cards): a central authority sits between every service provider and every service user device. Open provisioning (On-board Credentials): service providers provision service user devices directly.
Figure: On-board Credentials (ObC) architecture. Mobile device with TEE support: in the Rich execution environment (REE), the Mobile OS, a Driver and Apps; in the Trusted execution environment (TEE), the ObC Interpreter and ObC scheduler with the loaded trusted app (interpreted code), interpreter state, trusted app dynamic state, trusted app persistent store and I/O data, plus the Device key & Device cert. ObC API: provisioning, execution, sealing.
Figure: a family key FK binds family secrets and family programs together: the principle of same-origin policy.
ObC provisioning between a service provider and a user device holding a certified device key PK:
– Service provider picks a new ‘family key’ FK and sends Enc(PK, FK): establishes a new security domain (family)
– Service provider authorizes trusted applications: sends AuthEnc(FK, hash(app)) + app; the device installs the trusted apps and grants them access to the family's secrets
– Service provider encrypts and authenticates secrets: sends AuthEnc(FK, secret); the device installs the secrets and associates them with the family
Mobile Devices. Dissertation, Aalto University 2012.
[KEAR09] “On-board Credentials with Open Provisioning”. ASIACCS 2009.
– RSA SecurID, SoftSIM
– Used for, e.g., MirrorLink attestation
– “who takes liability?” “avoid stepping on toes”
– Global Platform device committee
– Open provisioning is elusive
Figure: TEE model: REE (Mobile OS, apps, TEE entry) and TEE (Trusted OS, trusted apps) on the device hardware.
[GP12] “A New Model: The Consumer-Centric Model and How It Applies to the Mobile Ecosystem”
– Don’t just guess security requirements; ask stakeholders
– Desiderata for deployment and research can be different
– “90-10 rule” applies to deploying security
– Negative results are useful for security practitioners
– Capturing researcher interest vs. (tech transfer) impact
– Address pain points: builds credibility with stakeholders
– (Standardization) Politics can suffocate a good idea
– Standardization can make a good idea see light of day
http://asokan.org/asokan/research